A key element of IT preparedness is keeping systems and applications updated and fully patched – streamlined software patch management a reality?
Managing modern IT infrastructure in all its complex glory creates a tremendous amount of pressure. Add to this the ever-present threat of a cyber attack — not to mention a connected workforce that doesn’t always consider organizational security a priority—and it becomes clear that preparedness is one of the most important things any IT professional can aspire to.
Although this might seem obvious, in the spirit of preparedness, ask yourself:
- How regularly am I performing security updates?
- How fast can I implement a software patch during a fire drill scenario?
- How effective is my overall patch process?
[pullquote-left]If answered honestly, it’s likely that your response to at least one of those questions is not what it should be.[/pullquote-left]
Thus, it’s probably worth a reminder that software patch management is the best strategy for maintaining security in your IT environment and should be a top priority for you.
That said, software patch management is not without its challenges. After all, if it were, you would have been able to answer all the above questions perfectly. So, to help, consider the following 10 steps of an effective software patch process.
1. Keep an eye out for security vulnerabilities
There are several ways to check for security threats. It helps to have patch management software that notifies you of newly available patches.
If you don’t receive automatic notifications, you can manually check for threats via Internet searches or by signing up to receive security alerts and bulletins from US-CERT.
2. Identify the impact of cyber threats on unpatched software
Not all security vulnerabilities and software patches will be relevant to your IT environment. Thus, it’s good to categorize the impact of threats affecting security vulnerabilities using a scale of low, medium or high to help you carefully plan your next steps. Impact assessment is easier if you have comprehensive hardware and software inventory data.
3. Prioritize patches
Unpatched software with critical flaws will compromise data, affect business productivity or both. However, rolling out all critical patches at once could break something in the network, and pinpointing root causes in such a situation is difficult.
This is why prioritizing your patches is so important. Do this by assessing the risk of every critical vulnerability and the systems or groups that would be affected by a security breach.
4. Create a backup plan
Design a contingency plan in case something does break during a patch process. You don’t want to create a situation where you are patching several production servers at once without backing up critical data or making emergency repair disks.
Back up the data on your workstations, too, and create a restore point or official image disk of critical files.
5. Test the software patch first
Test your patches in a lab environment before rolling them out globally. This applies to third-party and custom applications.
Identify and document the outcome of the patch operation, including tracking what breaks, where it breaks and how to fix it.
6. Approve software patch and define schedules
Approve software patches before rolling them out. If your patch management software supports update approvals, use this feature.
This gives you better control over the patch process by making sure you approve only the patches that have been certified by the software vendor or tested in a lab environment
7. Patch frequently used computers first
Some malware targets your workstations and steals login information and personal data from your most vulnerable computers—the ones used most often for daily transactions. These are the computers that need to be patched first.
If you can target users by Active Directory, that’s an added advantage for targeted patch rollouts.
8. Create pre- and post-installation scenarios
Cyber threats are most commonly aimed at Web browsers and Java and Adobe applications, so it becomes imperative to prevent failed updates by creating the right pre- and post-installation scenarios for successful installs, including starting or stopping services, terminating processes, etc. When testing the patch before deployment, make sure you decide on the right installation scenario, and replicate the same when deploying the updates.
9. Assess the post-patch status
You might think you just patched over a thousand workstations and a few hundred servers, but your post-patch status report could tell you otherwise. You must always assess your post-patch status by running a comprehensive report that tells you which computers did and did not install the updates, those that rebooted, failed to reboot, etc.
10. Document and repeat
The complexity of the patch process differs depending on your organization’s size and business requirements, but simplifying it is always a good idea. To do so, document the entire process following every successful patch deployment, which will simplify and streamline subsequent patches.
Following these steps to establish or streamline an effective patch management process can help you ensure you’re able to answer with confidence the next time you are asked how regularly you’re performing security updates, how quickly you can react to an emergency patch and how effective your overall process is.
Of course, even more important is that you can have confidence your infrastructure is safe from attack and your organization will be free of the hefty non-compliance related fines that could come from unpatched software.
And if you’re wondering how to best tackle these steps, remember that patch management tools can help automate them, relieving the burden on you to carry out each step manually.